Create ldap users LWRP


#1

Maybe I am missing something… I am surprised that I cannot find a LWRP
to create ldap users. I would have thought it common to iterate over a
data_bag set managing ldap users. When I search around I do not find
evidence that this is common, i.e. no LWRP for creating ldap users…
Would this be a bad practice for some reason I do not see? Or is there
some other reason no one has yet created and published a LWRP for this?

Thanks,


Jay Flowers

http://jayflowers.com


#2

My first thought would be simply that it isn’t an easy task to accomplish;
most ldap servers store their content in a database, so you’d need to
interface through an API for adding the users.

Which LDAP head would you support? 389 ldap? openldap? active directory?
Which attributes would you support? there is the somewhat standard way that
rhel families expect you to configure things, the naming style that
authconfig expects, though you can override everything… then there’s the
way debian expects things to be named. group membership can be defined as
having the groups list be a string attribute of the user, or a user list
be a string attribute of the group, or you can use one of three different
object types and structures to assign user/group relationships…

I’d say go for it :slight_smile:
In my group we threw up our hands at ldap and went for AD (which also
supports tie-in with the routers and firewalls, and it looks easier to
develop an openid auth service that is backed by AD than one backed by
ldap, which would get us central authentication to chef as well)

On Sun, Dec 30, 2012 at 10:57 AM, Jay Flowers jay.flowers@gmail.com wrote:


#3

We had an interesting discussion around this at the community summit. The context was mostly around AD but the consensus was that most people using AD/LDAP do so because they already have a great interface or good software for managing users and there was no use building this into Chef. However there was a desire to be able to communicate with an existing LDAP infrastructure, for example a nice library to check if a user is in a particular group.


Paul Mooring
Systems Engineer and Customer Advocate

From: Jay Flowers <jay.flowers@gmail.com>
Date: Sunday, December 30, 2012 8:57 AM
To: chef-dev <chef-dev@lists.opscode.com>
Subject: [chef-dev] Create ldap users LWRP

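The two posts above name the pieces such a library would need: post #2 describes the three ways group membership is stored (a uid list on the group, a DN list on the group, or a back-link on the user), and post #3 asks for something that can check whether a user is in a group. The following is an added example, not code from the thread or from Chef; it resolves membership across all three schemes and shows the one thing most hand-rolled LDAP lookups get wrong, escaping values before putting them in a search filter. It deliberately avoids the net-ldap gem so it runs stand-alone; the DIRECTORY hash is constructed test data shaped like the attribute hashes an LDAP client returns, and every DN, group and uid in it is made up.

```ruby
# Added example (not from the thread): LDAP group membership across the
# three structures post #2 describes, plus an injection-safe search filter.
# Pure Ruby; DIRECTORY below is constructed test data, not a real server.

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
# A uid taken from a data bag or a login form must go through this, or a
# value such as "*)(uid=*" rewrites the filter and matches every entry.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Filter for looking up one posixAccount by uid; the uid is always escaped.
def user_filter(uid)
  "(&(objectClass=posixAccount)(uid=#{ldap_filter_escape(uid)}))"
end

# Compare two DNs the way the directory does for common string syntaxes:
# attribute types and values such as uid/cn/ou/dc match case-insensitively,
# and whitespace around the comma separators is not significant.
def dn_equal?(a, b)
  norm = ->(dn) { dn.to_s.strip.downcase.gsub(/\s*,\s*/, ',') }
  norm.call(a) == norm.call(b)
end

# True if user_dn belongs to group_dn under any of the three schemes:
#   1. posixGroup   - group.memberUid holds bare uid strings (RHEL/authconfig style)
#   2. groupOfNames - group.member (or uniqueMember) holds full user DNs
#   3. memberOf     - the user entry carries a back-link attribute (AD, or
#                     OpenLDAP with the memberof overlay)
def member_of?(directory, user_dn, group_dn)
  user  = directory[user_dn]
  group = directory[group_dn]
  return false unless user && group

  uid = user.fetch(:uid, []).first
  return true if group.fetch(:memberuid, []).include?(uid)

  dns = group.fetch(:member, []) + group.fetch(:uniquemember, [])
  return true if dns.any? { |dn| dn_equal?(dn, user_dn) }

  user.fetch(:memberof, []).any? { |dn| dn_equal?(dn, group_dn) }
end

# Constructed directory; attribute names lower-cased as a client returns them.
DIRECTORY = {
  'uid=jflowers,ou=people,dc=example,dc=com' => {
    objectclass: %w[inetOrgPerson posixAccount],
    uid: ['jflowers'],
    memberof: ['cn=devs,ou=groups,dc=example,dc=com']
  },
  'cn=wheel,ou=groups,dc=example,dc=com' => {   # scheme 1
    objectclass: %w[posixGroup],
    memberuid: %w[root jflowers]
  },
  'cn=ops,ou=groups,dc=example,dc=com' => {     # scheme 2, DN written in another case
    objectclass: %w[groupOfNames],
    member: ['UID=JFlowers, OU=People, DC=example, DC=com']
  },
  'cn=devs,ou=groups,dc=example,dc=com' => {    # scheme 3, only the back-link is visible
    objectclass: %w[groupOfNames]
  },
  'cn=audit,ou=groups,dc=example,dc=com' => {
    objectclass: %w[groupOfNames],
    member: ['uid=alice,ou=people,dc=example,dc=com']
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  me = 'uid=jflowers,ou=people,dc=example,dc=com'
  %w[wheel ops devs audit].each do |g|
    puts "#{g}: #{member_of?(DIRECTORY, me, "cn=#{g},ou=groups,dc=example,dc=com")}"
  end
  puts user_filter('*)(uid=*')
end
```

Against a real server the same `member_of?` would take the entries returned by a search built with `user_filter`; what does not change is that the check has to try all three schemes, because a mixed RHEL/Debian/AD estate will have groups of each kind, and that the uid goes through `ldap_filter_escape` before it reaches the filter.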